Smartsheet for Vendors

Welcome to the Smartsheet Vendor Portal!

You will find instructions and resources to answer most questions that arise during the vendor onboarding process.

Fist Bump

Supplier Diversity Commitment

At Smartsheet, we believe in working with suppliers who share our commitment to diversity, equity, and inclusion, and represent the communities in which we operate. 

We recognize that having a diverse set of suppliers is a competitive advantage and a powerful business strategy. 

We are committed to proactively identifying, building relationships with, and purchasing goods and services from certified minority, women, veteran, disability, and LGBTQ- owned businesses, because supplier diversity expands and enhances our business and aligns with our core values.

Register as a Smartsheet Vendor

Smartsheet uses Coupa to manage vendor purchases and track invoices. In order to be set up as a Smartsheet vendor, you must create a Coupa account and register as a Smartsheet vendor.

If this is your first time registering as a Smartsheet vendor, once Smartsheet has decided to purchase your service, Smartsheet's procurement team will send you a Welcome Email with a link to create an account as a Smartsheet vendor. If you do not receive this email, please contact procurement@smartsheet.com for assistance

Welcome Email

If this is your first time registering, you will receive an email from Smartsheet.

Click Join and Respond at the bottom of the email to begin the registration process.

 

Create a Password

To begin the registration, you will be prompted to create a password. 

In order to create a Coupa account and register as a Smartsheet vendor, you must review and agree to the relevant Coupa Supplier Portal terms.

If you agree and accept these terms, check the box, then click Submit. You can also forward the invite to a different person in your organization from this page.

Creating Your Profile

 

community

General Information

Profile Dropdown

This should be Smartsheet

Legal Name

Your company’s full legal name

Doing Business As (DBA) Name

Leave blank if not applicable

Legal Entity

Choose from the dropdown

Federal Tax ID

US companies only

Tax Form

US companies please attach a W-9, international companies please attach a W-8

Goods & Services Provided

Please list the goods & services you provide

DUNS Number

Leave blank if not applicable

Primary Contact

This will default based on who the invite email has been sent to

Primary Address

This is your primary office location.  You will have the option to add a separate Remit To & Shipping address later in the process.

Accounts Payable Information

Choose a payment type from the dropdown:

  • ACH- US Suppliers only
  • Wire- Recipients outside the United States

Remit To Address

Click the "Add" button to enter a Remit To address.

A new window will appear.  Enter your Legal Entity Name, choose your country from the dropdown, then click Continue.

A new window will appear called "Where do you want to receive payment?".

Choose ADDRESS in Payment Type dropdown. 

You will have a chance to enter your banking details in a few steps.  Click Save & Continue. Click Next. 

A new window will appear.  Complete the "What address do you invoice from section".

Click Save & Continue at the bottom of the page.

 

 

Click Next, then Done if no revisions to the Shipping Address are needed.

You will be returned to the main page of the General Information form. 

Banking Details

Banking Information, Credit Card Acceptance

Please enter your banking details and check whether or not you accept credit cards as a form of payment. 

 

Banking Form

Please attach banking information on bank or company letterhead if you have a copy

Completing & Submitting General Information Form

Preferred Currency, PO Email

  • Choose the preferred currency from the dropdown
  • PO Email is the email address for Purchase Orders

 

 

 

Method of Invoicing

Choose from the list of options.  If you are unsure choose Supplier Actionable Notification.

Certificate of Insurance

If applicable, please enter dates & attach your COI

Supplier Diversity

Choose from dropdown & attach certificate or choose NA

Click Submit at the bottom of the form

Scroll back to the top of the form.  If the bar at the top is red, correct any mistakes indicated and resubmit. If the bar at the top is green, the form status will be "Pending Approval" from Smartsheet.

 

Editing the Form

If you notice an error in the form, click on the “Withdraw” button at the bottom of the form.

A popup will appear, click “OK”. This will open the form again to edit.

Make the necessary changes and click “Submit for Approval” once the changes have been made.

Smartsheet Vendor Policies

 

proven

Vendor Code of Conduct

Smartsheet is committed to ethical business conduct and expects that its vendors will share and embrace this commitment as well. By “vendor”, we mean any company, supplier, firm, or contractor that provides a good, product, or service to Smartsheet. As such, Smartsheet endeavors to have each vendor commit to the following minimal business ethics:

Employee Rights

The fair treatment of a company’s employees is inherent in all ethical business conduct. Given this commitment to the fair treatment of employees, vendors must:

  • Provide a work environment free of sexism, racism, harassment, and discrimination of any sort
  • Base all hiring and termination decisions on permissible factors and not on any discriminatory or illegal considerations
  • Ensure its employees, agents, and contractors have a safe and healthy work environment and are paid a living wage under humane and ethical conditions
  • Endeavor to maintain an inclusive and diverse workforce
  • Ensure that overtime is voluntary and paid in accordance with applicable laws and regulations
  • Not use forced, slave, indentured, bonded, trafficked, prison, or child labor of any sort or do business with any other vendor or contractor that uses such labor
  • Not engage in human trafficking of any sort or do business with any entity that engages in human trafficking
  • Respect all individuals’ human rights including the rights of freedom of association and movement

Business Practices

A company’s standard practices and processes are also key to ensuring ethical business conduct. In order to ensure ethical business conduct, vendors must:

  • Respect and be responsible for protecting Smartsheet’s and its customers’ property, data, and assets and only use the same for their intended and authorized purposes*
  • Respect the confidentiality and data privacy of Smartsheet and its employees and agents and customers*
  • Promptly notify Smartsheet of any unauthorized disclosure or access to Smartsheet’s or its customers’ property, data, assets, or confidential information and of any breach of the data privacy of the same*
  • Use good judgment, discretion and moderation when offering gifts or entertainment to Smartsheet employees or its vendors.
  • Do not give gifts, meals, or entertainment to Smartsheet employees or its vendors or contractors that might constitute or give the appearance of a bribe or impropriety or create a conflict of interest
  • Maintain honest and accurate accounting and business records, including reasonable documentation to demonstrate compliance with this Vendor Code of Conduct
  • Implement and maintain appropriate processes, including due diligence, audits, and similar activities, for the monitoring of vendor’s own operations and the evaluation and monitoring of its own vendors and contractors
  • Ensure that its own vendors comply with this Vendor Code of Conduct or with their own substantially similar Code of Conduct

*Please see Vendor Privacy and Data Handling Expectations (below) for additional expectations related to information security and data privacy.

Legal Compliance

All ethical business conduct is rooted in compliance with law. As such, vendors must:

  • Conduct its business activities in full compliance with all applicable laws, rules and regulations, including, but not limited to, all environmental, anti-corruption, anti-bribery, data privacy, and employment and labor laws
  • Comply with all national and international trade laws and regulations that apply to Smartsheet and its vendors
  • Any gifts, meals, or entertainment given or offered to Smartsheet employees or its vendors must comply with all applicable laws, must not violate the giver’s and/or recipient’s policies on the matter, and must be consistent with local custom and practice.
  • Comply with the intellectual property ownership rights of Smartsheet and others, including but not limited to copyrights, patents, trademarks and trade secrets
  • Not access or use any material non-public information to make any decision to buy, sell, or trade Smartsheet stock or otherwise participate in insider trading

Reporting of Questionable Behavior or Possible Violations

If you wish to report any questionable behavior or possible violation of this Vendor Code of Conduct, you are encouraged to work with your primary Smartsheet contact in resolving a business practice or compliance concern. However, Smartsheet recognizes that there may be times when this is not possible or appropriate. In such instances, please contact the Smartsheet Legal department directly at legal@smartsheet.com. 

Smartsheet will not tolerate any retribution or retaliation taken against any individual who has in good faith sought out advice or has reported questionable behavior or a possible violation.

 

 

Vendor Privacy and Data Handling Expectations

Privacy and security practices are at the heart of Smartsheet’s business model, and are essential to the trust we have established with our customers. We expect similar commitments to privacy and security from our service providers, suppliers, business partners, and any other entity that provides goods, products, or services to us (“Vendors”).  The purpose of these “Expectations” document is to establish those minimum information security and data privacy standards that we expect Vendors to abide by when performing “services” (i.e., professional or consulting services, cloud software services, software licenses, or providing other goods, products, or services of any sort) for Smartsheet or “processing” (as defined by the Applicable Data Protection Laws) of Smartsheet Information.

Minimum Expectations

Provide Notice to Individuals

Vendors should notify individuals - meaning, any identified or identifiable natural person - about their privacy practices and, if applicable to their business practices, assign a Data Protection Officer (as defined in the GDPR). At a minimum, the notification to individuals must include:

  • a description of types of Personal Data collected;

  • the purposes for which Vendor collects and stores Personal Data;

  • A description of ways in which Personal Data is used by Vendor; 

  • the types or identities of third parties with which Company shares Personal Data and the purposes for doing so;  

  • a notice informing individuals that they have legal rights (including access, deletion, objection, rectification, etc.) to their Personal Data and their options for exercising such rights, including limiting the use and disclosure of their Personal Data;

  • contact information for any inquiries or complaints, including any relevant establishment in the EU that can respond to individual inquiries or complaints; and

  • a notice to Customers of the possibility to invoke binding arbitration and/or notify a competent data protection authority. 

 

Providing Choice to Data Subjects

Vendors should provide individuals the opportunity to choose if Personal Data (i) will be disclosed to a third party, or (ii) used for a purpose other than that for which it was originally collected or subsequently authorized. 

Accountability for Onward Transfers of Data

Vendors should only provide Smartsheet Information to service providers who perform tasks on behalf of and under the Vendor’s instructions and only if such service providers are under confidentiality, security, and data privacy obligations substantially similar to the obligations Vendor owes to  Smartsheet. Further Vendors should notify Smartsheet of any such service providers in advance of disclosing any Smartsheet Information. 

Vendors should only transfer, disclose, or share Personal Data in accordance with their publicly posted privacy notice.

Security

Vendors should implement and maintain administrative, technical, and physical safeguards to protect Smartsheet Information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The appropriate administrative, technical, and physical safeguards must ensure a level of security appropriate to the risk. Examples of safeguards include:

  • Administrative safeguards: Only allowing personnel with a business need access to systems; evaluating personnel access levels based on role. 

  • Technical safeguards: Require all personnel to lock computers when away from their desks; storing information on a secure network with monitored firewall protection; requiring user authentication via password before allowing access to electronic information systems. 

  • Physical safeguards: Storing documents containing data in secured cabinets or rooms; ensuring that documents containing customer information are not left on desks or in other locations that may be visible to individuals not authorized to access data.

Data Integrity and Purpose Limitation

Processing of Smartsheet Information should be limited to the purposes for which it was collected (e.g., honoring contractual commitments), which may include providing the services or compatible purposes (e.g., customer relations, compliance and legal considerations, auditing, security and fraud prevention, or preserving or defending legal rights). 

 

The collection, use, disclosure, transmission, storage and/or disposal of Smartsheet Information should be limited to the extent necessary for a specific business purpose(s), in accordance with data minimization or least privileged principles. Vendors should only use Smartsheet Information, including Personal Data, where a valid need for the information exists. This means limiting the scope of data collected/used and the number of physical and electronic copies; and the retention period of the data. Such purpose limitations should reflect:

  • Data Collection: Vendor should only collect Smartsheet Information and Personal Data that is appropriate for a specific, intended, and authorized use. Vendors should adopt and communicate to their personnel a data collection policy that takes into consideration the following rules:

  1. collect only accurate Personal Data; 

  2. keep Personal Data up-to-date; and

  3. collect Personal Data for fair and lawful purposes only that are transparent to individuals. 

  • Authorized Use: To access, use, transmit, handle or receive Personal Data, Vendors personnel should be permitted under law, regulation, customer agreements and internal policies to do so, and have a legitimate "need to know" that Personal Data. That authorization only extends to the specific data for which there is a  legitimate “need to know” for the purposes of performing the services. 

  • Disclosure to Third Parties: Vendors should only share Personal Data with third parties as permitted by law and regulation, and pursuant to customer agreements. No other disclosures to any third party should be permitted. 

  • Downloading Personal Data: Smartsheet Information should not be downloaded or stored on any personal device or any other device not controlled by Vendor. 

  • Storage of Data:​ Vendors should only store Smartsheet Information as necessary for and in accordance with (i) the contract between theVendor and Smartsheet, and (ii) the Vendor’s internal policies (e.g., data retention and disaster recovery policies). 

  • Transmission of Data:​ Vendors should not transmit (e.g., via mail, fax, email, instant messaging, etc.) Smartsheet Information without ensuring applicable security controls are in place. Vendors should not transmit such data to anyone who does not need the information. Care should be taken to ensure that emails are sent only to intended recipients. 

  • Disposal: Vendors should dispose of Smartsheet Information in accordance with their data retention policy and the written contract between Smartsheet and such Vendor. 

Access 

Smartsheet believes that individuals have the right to (i) know what Personal Data about them is being stored and/or used by a Vendor, and (ii) correct, amend, or delete that Personal Data as they see fit, except: (i) where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, or (ii) where the rights of persons other than the individual would be violated. 

Recourse, Enforcement, and Liability

Vendors should be responsible for any inquiries or complaints regarding their privacy practices and are expected to provide individuals with a mechanism to submit such inquiries and complaints. If an individual is unable to resolve issues with a Vendor, Vendors are expected to provide a mechanism for such individuals to invoke binding arbitration and/or notify a competent data protection authority.

If any Vendor receives an inquiry or complaint on behalf of Smartsheet, Vendors should immediately forward such inquiry or complaint to Smartsheet at privacy@smartsheet.com

Staff Training and Sanctions

Vendors should only authorize their employees, contractors, or agents to process Smartsheet Information where such employees, contractors, and agents are bound to confidentiality or are under an appropriate statutory obligation of confidentiality. Vendors should subject any such employees, contractors, and agents who are found to be in violation of these Expectations to disciplinary action.

 

Security Incidents and Breaches of Smartsheet Information

Discovery of Breach

Vendors should notify Smartsheet immediately, and in any event within twenty-four (24) hours if they discover or suspect that there has been any “security incident” including any (i) lose, misuse, or unauthorized access, use, disclosure, modification, processing, disclosure, or destruction of Smartsheet Information, (ii) interference with system operations in an information system (whether Vendor’s or Smartsheet’s) that has access to Smartsheet Information, or (iii) any other act or omission which compromises the security, confidentiality, or integrity of Smartsheet Information. Notifications should be delivered to Smartsheet via email to privacy@smartsheet.com.

Breach Investigation

Vendors should manage the investigation and mitigation of any security incident, and coordinate with Smartsheet as appropriate to ensure the security incident has been remediated and will not reoccur. 

Additional Expectations for Lead Generation or Behavioral Advertising Companies and Event Coordination/Planning Companies

Lead Generation Companies

Vendors should ensure any Personal Data provided to Smartsheet has been collected lawfully, in accordance with Applicable Data Protection Laws and that any necessary consents have been acquired and noticed provided, including notifying individuals with respect to further transfer of Personal Data to Smartsheet. In addition, Vendors should be responsible for ensuring they have a lawful basis to enable the transfer of Personal Data to Smartsheet. 

Behavioral Advertising Companies

Smartsheet will only work with advertising networks that provide an opt-out from interest based ads, such as those networks that follow the principles set forth by National Advertising Initiative, Digital Advertising Alliance and/or the European Interactive Digital Advertising Alliance. 

Event Coordination and Planning Companies

Vendors should ensure all event participation coordination and planning, communications, websites, registration sites, invitations, material distributions, webinar recordings, photographs, and lead generation mechanisms meet Smartsheet's legal and privacy requirements for data collection, consent, and notification. Any collection of personal information must be collected lawfully, in accordance with Applicable Data Protection Laws and that any necessary consents have been acquired and notice provided, including notifying individuals with respect to further transfer of Personal Data to Smartsheet. Vendor will also ensure any follow-up communications and distribution of event materials after the event adheres to Smartsheet's marketing and privacy requirements. 
 

Definitions

“Applicable Data Protection Laws” means, to the extent applicable to a Party, the data protection or privacy laws of any country regarding the Processing of Personal Data.

"Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For clarification, Personal Data includes but is not limited to contact information such as a person’s name, email address and IP address.

“Smartsheet Information”  is any and all data obtained by or on behalf of a Vendor concerning or relating to Smartsheet, its business (including legal, financial, and compliance information), or its employees, customers, end-users, partners, or suppliers.

Further Questions Regarding these Expectations

Any additional questions should be directed to Smartsheet’s Privacy team at privacy@smartsheet.com.

Contact Smartsheet

 

help

 

For questions about Coupa onboarding contact procurement@smartsheet.com

For questions about invoicing contact accountspayable@smartsheet.com